Html executable 4 edition portable
- #Html executable 4 edition portable portable#
- #Html executable 4 edition portable software#
- #Html executable 4 edition portable code#
Any important code or data used by the PE is kept within a designated section. PE SECTIONS describe what sections exist within the file and where they are located. PE HEADER BASIC INFO for clean file (left) and infected file (right) PE SECTIONS One could speculate that this is a variant from the original one, was included in this exe, and is currently in circulation around the web. This particular file contains the Bladabindi malware, with detection records dating back to 2012. Conversely, the file that contained malware, FD5A4, was compiled just a few months ago. The file created by Microsoft, 7F7BC, was compiled in 1997, which makes sense given how long Microsoft has been around. By looking at the compile time for each file, you will notice something that seems a little suspicious. In our examples, both files were intended to run on the x86 architecture. This shows the number of sections in the file, the operating system the file is intended for and when the file was compiled. Think of this metadata as metadata of the PE.
#Html executable 4 edition portable portable#
PE HEADER BASIC INFORMATION contains metadata specific to the portable executable. I will be expanding on this topic in a future blog post that will talk about counterfeiting digital signatures.ĪUTHENTICODE SIGNATURE BLOCK info for clean file results PE HEADER BASIC INFORMATION Unfortunately, just as there are ways to counterfeit a signature in real-life, there is also a way to fake digital signatures. To no surprise, the infected file FD5A4 has no signature available for validation, as an anonymous malware writer would most likely prefer not to share signature information.
#Html executable 4 edition portable software#
By using this information, anyone who wants to run this file will know that Microsoft, a reputable software company, were the ones to originally create the file.
In our examples, Microsoft was the signee for the clean file, 7F7BC. This is especially important when it comes to identifying forgery and tampering. Signature information is similar to the way we sign things in real-life: a way to validate who we are. AUTHENTICODE SIGNATURE BLOCKĪUTHENTICODE SIGNATURE BLOCK contains digital signature information for a file. Now let's take a look at each group in more detail. I will be using two examples, both mentioned in our release: a legitimate clean file created by Microsoft, and an infected file that is detected by over 15 anti-malware engines.Ĭlean File: 7F7BC59F453539194C2D38FD68FB2B4BEB3C1B5B5273CEC1B7DD1150B0EA929D (aka 7F7BC) Now that this additional information is available on Metascan® Online, I wanted to go over and describe the meaning of the information at a high-level. Moreover, we empowered our developers to gain access to this new data through our hash lookup API. These details all help to develop better context around the file.Ī few weeks back, we released more metadata in our scan results, starting with portable executable information. PE (Portable Executable) information gives more insight about the files themselves, such as who the file is signed by, the associated DLLs (Dynamically Linked Libraries) that get downloaded, etc.